Contributions

Hacking from the Inside-Out: Can the CFAA Impose Liability on Employees who Misuse Employer Data?

by Susanna Griffith 1

Today, some of the most severe threats to computer databases come from the inside. Employees who receive access to expansive employer databases and subsequently act contrary to the interests of their employer create a unique cyber-security threat. 2 But circuits are split as to whether and how the Computer Fraud and Abuse Act—the primary statute governing cyber crime and online fraud—should be applied in cases arising from employee misuse and misappropriation of data. Some adopt a broad interpretation of the operative phrases of the CFAA—“without authorization” and “exceeds authorized access”—choosing to use contract or agency principles to define “authorization.” 3 Others draw a narrow view and look for contravention of technological barriers or other explicit parameters governing access. 4 This article argues that the narrow, code-based view is the preferable approach. First, it is the only clearly constitutional reading, as alternate theories are void for vagueness and federalize traditionally state-governed issues. Second, it provides a consistent means of interpreting the terms “without authorization” and “exceeds authorized access” that comports with standards of excellence in the field of cyber-security and provides a way for employers to safeguard their data.

*****

The Computer Fraud and Abuse Act, 18 U.S.C. § 1030, was enacted as an amendment to the Counterfeit Access Device and Computer Fraud and Abuse (Counterfeit Access Device) Act of 1984, the federal anti-hacking statute. 5 The CFAA imposes criminal liability on whoever “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any department or agency of the United States.” 6

The circuits adopting a broad view of the CFAA articulate a contract-based and/or agency-based view. The former defines authorization according to contractual terms agreed upon between employer and employee, and the latter says that access that violates a fiduciary duty is unauthorized access. 7

The debate about the proper role of agency principles is not unfamiliar in the fraud context. Indeed, it parallels a recent debate in mail and wire fraud prosecutions about whether a breach of fiduciary duty is a de facto deprivation of a right to honest services. 8 In the mail and wire fraud context, circuit courts were split over the role of agency law in interpreting honest services wire fraud until the Supreme Court adopted a narrow view in Skilling v. United States. 9 Prior to Skilling, many courts found that a breach of fiduciary duty arising from an agency relationship was sufficient to constitute a deprivation of the “intangible right” to honest services. 10 However, this view turns the Restatement of the Law of Agency into federal criminal law, without any justification from Congress, and the Supreme Court correctly overruled it. 11

The same broadness concerns apply in the computer fraud context: application of agency principles to computer fraud prosecutions has the potential to drastically expand liability by criminalizing an unforeseeable range of employee activity. For example, an employee who checks personal email or browses the internet while on the clock may be acting in a manner contrary to the interests of her employer, but should she be criminally liable for it? The agency view potentially allows charges to be brought against any employee who “use[s] an employer’s computer for anything other than work related activities.” 12

The contract-based view creates additional concerns. First, an employer contract may ban certain types of speech or expression. Allowing a breach of that contract to lead to CFAA liability could have chilling effects on speech. 13 Second, as noted in the Ninth Circuit’s en banc decision in United States v. Nosal, the broad, contract-based reading of the CFAA “allows private parties to manipulate their computer-use and personnel policies so as to turn these relationships into ones policed by the criminal law.” 14 Finally, as the court in Nosal described, a broader alternate reading “would transform the CFAA from an anti-hacking statute into an expansive misappropriation statute.” 15 While employee misuse of electronic data is a concern for many employers, the CFAA cannot function as a security blanket for data breaches. Suits against disloyal employees can be brought at the state level and governed by contract law, tort law, and trade secret statutes. 16 A contract-based reading of the CFAA opens the floodgates to allow breach of contract claims into federal court. 17

Beyond contract- and tort-based claims, a legislative arsenal can and should provide additional tools for securing employer databases and protecting against employee misuse. In fact, Congress added a provision governing misuse to the CFAA, imposing felony liability on whoever “knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer.” 18 Because Congress has legislated in this space, courts should refrain from reading extra-legislative use restrictions into the CFAA’s provisions regarding access.

The broad interpretation of the CFAA is unsettling at best and likely unconstitutional on vagueness grounds. 19 There is, however, an alternative that is faithful to the purpose of the CFAA, consistent with the plain text, and effective in creating incentives for secure computer systems. This clear alternative is the code-based view. 20

Code-based restrictions put the onus on the computer owner to customize and control the access privileges granted to employee-users. As Professor Orin Kerr explains, “[Computer owners] assign privileges based on the particular account, limiting where the user can go and what she can do.” 21 By password protecting databases, employers can exercise control over the information available to each individual employee. 22 The code-based theory would impose CFAA liability on someone who illegally obtained a password or circumvented a technological barrier in order to gain, or expand, access to a database. 23

Critics of the code-based view argue that this standard will make it harder for employers to bring charges against employees who misappropriate company data. They may not be mistaken. As explained by scholars advocating the approach, “under the code-based theory, a user can only violate the CFAA by circumventing barriers and cannot violate the CFAA simply by acting contrary to his employer’s interests or breaching an employment policy.” 24 But while adopting a code-based view insulates those who misuse lawfully accessed data from being prosecuted under an anti-hacking statute, it does not free them from any liability whatsoever. 25 An employee may still be found liable through state contract or tort claims.

Another critique is that the code-based theory is neither required by the text of the CFAA nor contemplated by its legislative history. However, the code-based theory is more faithful to both text and history. It makes sense of the wording of section 1030, which prohibits unauthorized “access” rather than unauthorized “use.” Furthermore, the code-based theory is consistent with Congress’ expressed desire to encourage computer owners to protect their own networks. 26

An additional advantage of the code-based view is that it aligns with cyber-security standards for the management of data. Cyber-security scholars uniformly suggest that employers grant access only to the information employees need to do their jobs (the principle of least privilege). 27 When someone is transferred or promoted, their access should be increased or decreased accordingly. 28 This practice shields companies from internal misappropriation of data as well as from external hacks, either of which can lead to devastating security breaches. The code-based theory aligns with industry best practices for safeguarding employer databases by giving companies incentives to adopt ex ante safeguards that limit access to the employees who need it. Simultaneously, it preserves ex post remedies by giving companies a civil cause of action against those who breach technological safeguards. 29

In summary, the code-based view is a better alternative to the broader interpretations of the CFAA. It respects Congress’ decision to criminalize “access” rather than “use,” while providing adequate means for employers to safeguard their own databases.

Notes:

  1. This Contribution reflects my experience in the 2016 Spong Moot Court Tournament, hosted by William & Mary Law School. The problem was about a former employee of the Center for Disease Control and Prevention who, in the course of his work as a data analyst, discovered information about a potentially dangerous pathogen. He proposed that the Center for Disease Control and Prevention (CDC) release the information to the public, and when his proposal was rejected and he was transferred to another department, he accessed and released the information anyway. The fact pattern raised the question of whether this employee—who accessed the information using validly obtained credentials, yet in violation of use restrictions and direct instructions from his employer—could be convicted under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, for accessing data “without authorization” or “exceed[ing] authorized access.”
  2. See Richard Power, Current and Future Danger: A CSI Primer on Computer Crime and Information Warfare 4, 6, 36 (3d ed. 1998), cited in Mary M. Calkins, Note, They Shoot Trojan Horses, Don’t They? An Economic Analysis of Anti-Hacking Regulatory Models, 89 Geo. L.J. 171, 175 n.17 (2000).
  3. See, e.g., United States v. John, 597 F.3d 263, 273 (5th Cir. 2010) (holding bank employee liable for accessing customer account information and giving it to her half-brother for fraudulent purposes because the employee had “reason to know” that she was not authorized to access data or information in furtherance of a criminally fraudulent scheme); Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418, 421 (7th Cir. 2006) (finding former employee acted without authorization when he breached his fiduciary duty to his employer by deleting data from a company laptop); EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 583–84 (1st Cir. 2001) (holding employee exceeded authorized access when he breached an employer confidentiality agreement by using proprietary information to support his own competing business).
  4. See, e.g., WEC Carolina Energy Sols. v. Miller, 687 F.3d 199, 207 (4th Cir. 2012) (holding employee did not exceed authorized access and thereby violate the CFAA, because the employer policy regulated use of information, not access); United States v. Nosal, 676 F.3d 854, 863–64 (9th Cir. 2012) (holding employee does not exceed authorized access just by violating employer use restrictions); LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1137 (9th Cir. 2009) (holding employee who sent company emails to his personal accounts for unauthorized purposes was not liable under the CFAA because he neither accessed the emails without authorization nor exceeded authorized access).
  5. See Counterfeit Access Device and Computer Fraud and Abuse (Counterfeit Access Device) Act of 1984, Pub. L. No. 98–473, 98 Stat. 2190; H.R. Rep. No. 98–894, at 3706 (1984). See also Briggs v. State, 704 A.2d 904, 911 (Md. 1998) (“The purpose of the bill is to deter individuals from breaking into computer systems.” (internal citations omitted)).
  6. 18 U.S.C. § 1030(a)(2)(B) (2012) (emphasis added).
  7. See, e.g., Dresser-Rand Co. v. Jones, 957 F. Supp. 2d 610, 615 (E.D. Pa. 2013) (describing three categories of interpreting the CFAA: agency-based authorization, code-based authorization, and contract-based authorization).
  8. Compare United States v. Brumley, 116 F.3d 728, 735 (5th Cir. 1997) (holding that section 1346 only prohibits conduct barred by separate state law), with United States v. Martin, 195 F.3d 961, 966–67 (7th Cir. 1999) (finding that a broad breach of fiduciary duty is sufficient to establish a section 1346 violation). See also United States v. Sun Diamond Growers of California, 138 F.3d 961, 973 (D.C. Cir. 1998), aff’d, 526 U.S. 398 (1999) (“Aware of the risk that federal criminal liability could metastasize, we held . . . that not every breach of a fiduciary duty works a criminal fraud.” (internal quotations omitted)).
  9. 561 U.S. 358 (2010).
  10. See Martin, 195 F.3d at 965–67 (citing 18 U.S.C. § 1346).
  11. See Julie R. O’Sullivan, Honest-Services Fraud: A (Vague) Threat to Millions of Blissfully Unaware (and Non-Culpable) American Workers, 63 Vand. L. Rev. En Banc 23 (2010).
  12. Orin S. Kerr, Cybercrime’s Scope: Interpreting “Access” and “Authorization” in Computer Misuse Statutes, 78 N.Y.U. L. Rev. 1596, 1634 (2003). See also Patricia L. Bellia, Defending Cyberproperty, 79 N.Y.U. L. Rev. 2164, 2255–58 (2004) (advocating for a narrow reading of the CFAA to avoid “creat[ing] . . . statutory anomalies” and criminalization of “a broad range of conduct, even an employee’s use of a computer for personal activities in violation of an employer’s policy.”).
  13. Kerr, supra note 12, at 1659.
  14. Nosal, 676 F.3d at 860.
  15. Id. at 857.
  16. See Stephanie Greene & Christine Neylon O’Brien, Exceeding Authorized Access in the Workplace: Prosecuting Disloyal Conduct Under the Computer Fraud and Abuse Act, 50 Am. Bus. L.J. 281, 283–84 (2013). See also Nosal, 676 F.3d at 860 (“Employer-employee . . . relationships are traditionally governed by tort and contract law.”).
  17. See, e.g., Sarah Boyer, Computer Fraud and Abuse Act: Abusing Federal Jurisdiction?, 6 Rutgers J. L. & Pub. Pol’y 661, 662 (2009) (“[T]he issues of ‘unauthorized use’ or ‘damage or loss’ . . . should be construed narrowly in order to keep this type of employer/former employee action out of federal court. Otherwise, the federal court system will be overrun with claims by employers against their former employees.”).
  18. 18 U.S.C. § 1030(a)(5)(A).
  19. See, e.g., Orin S. Kerr, Vagueness Challenges to the Computer Fraud and Abuse Act, 94 Minn. L. Rev. 1561, 1582 (2010) (“Only a narrow construction of the statute can save its constitutionality.”). See also United States v. Valle, 807 F.3d 508, 527 (2d Cir. 2015) (reversing a CFAA conviction on grounds that it violates the rule of lenity); Miller, 687 F.3d at 206 (rejecting broad construction of the CFAA based on the rule of lenity).
  20. See generally Kerr, supra note 12, at 1644.
  21. Id. (citing Lawrence Lessig, Code and Other Laws of Cyberspace 66–78 (1999) (discussing ability of computer owners to use code to regulate user access)).
  22. Kerr, supra note 12, at 1644.
  23. Id.
  24. See Kelsey T. Patterson, Note, Narrowing it Down to One Narrow View: Clarifying and Limiting the Computer Fraud and Abuse Act, 7 Charleston L. Rev. 489 (2013) (citing Kerr, supra note 12, at 1644–45).
  25. See United States v. Aleynikov, 737 F. Supp. 2d 173, 194 (S.D.N.Y. 2010) (dismissing CFAA charges against a defendant charged with misappropriating source code belonging to his former employer, while declining to dismiss charges under the Economic Espionage Act of 1996 and the National Stolen Property Act).
  26. See 146 Cong. Rec. S10,916 (daily ed. Oct. 24, 2000) (statement of Sen. Leahy).
  27. See Lessig, supra note 21. See also Victoria C. Wong, Cybersecurity, Risk Management, and How Businesses Can Effectively Fulfill Their Monitoring Role, 15 U.C. Davis Bus. L.J. 201 (Spring 2015) (citing Creating a Culture of Awareness, Nat’l Cyber Security Alliance, http://staysafeonline.org/re-cyber/creating-a-culture-of-awareness (last visited Mar. 15, 2016 8:27 PM)).
  28. Id.
  29. The 1994 amendment to the CFAA added a civil cause of action. 18 U.S.C. § 1030(g).